Let's Compare Great Firewall Strategies
faddat Member
edited July 2014 in General

Here's what I am aware of working right here and now. Also, where I am, Google.com is still totally dead.

Softether (Very nice-- if anyone has teamed multiple softether VPSes to do load balancing, I'd love to hear their techniques. This feeds my desktop and laptop their Internet.)

Shadowsocks - Also good, but seems to be slowing down. I have been thinking that maybe GFW is getting wise to it, or it could be my imagination. I use it via FQrouter on Android.

Gohop - I had high hopes for Gohop, but each time I've implemented it, dear lord it's been slower than dirt. Anyone have better luck than me? Am I missing something crucial with this one?

Goagent - these days it is far too unreliable (dead, due to the Google ban). Used to be a go-to for me, but now it's a last resort.

What I'd like to try:

-Scrambled OpenVPN (If I get the softether teaming/bonding/voodoo routing to work though, I won't really have any reason to give this a shot)

Tinc - Thanks _rm!

How I believe I will configure this in the end:

Use a Raspberry Pi or similar connected to my wifi router to host all of the VPN connections & keep traffic bound for sites in the mainland from heading out to any of the VPSes & keep pandora.com pointed to a US VPS.

Am I missing any of the mainstream generation v.2.5 of circumvention tools?

Thanks!


Comments

  • raindog308 Administrator, Veteran

    Thousands of people have no problem launching brute force attacks from .cn IPs (about 90% of the CSF/LFD alerts I get), so I think maybe the problem is not circumventing the Great Firewall but rather improving and hardening it :-)

  • faddat Member
    edited July 2014

    If you think that, you've never lived behind it. Dude, there's no GOOGLE in China at the moment. The further this place goes from "global mainstream" the higher the likelihood of an "event" based on a totally misinformed populace that goes a hell of a lot further than a brute force attack.

    I really like it here. I'm totally serious.

    ONLY the GFW has caused me to consider moving, and its negative effects are visible on all parts of society, from kids who literally do not know what Google is, to a population that is to a very large extent completely disconnected from the global Internet discourse and therefore vulnerable to all sorts of manipulation.

    NOTHING else here is really an issue. I think of it like this and I do not think it is an unfair rationalization: China isn't so nice to dissidents. America isn't so nice to dissidents, afghans getting married, and Iraqis. This isn't to say that either has a morally justified government, but to put it in perspective for people who simply cannot believe that I'm happy here.

  • ihatetonyy Member
    edited July 2014

    faddat said: China isn't so nice to dissidents. America isn't so nice to dissidents

    Muslims are able to practice freely (compare to Falun Gong practitioners) and while Obama is no doubt rubbing his hands together at the thought of skewering Snowden, Greenwald and Alan Rusbridger, press freedom is in a considerably better state than China as well.

    All trolling aside, it looks like there are some guides on clustering SoftEther - they may be useful for you.

    https://www.softether.org/4-docs/1-manual/3._SoftEther_VPN_Server_Manual/3.9_Clustering

    https://www.softether.org/4-docs/1-manual/A._Examples_of_Building_VPN_Networks/10.8_Build_a_Large_Scale_Remote_Access_VPN_Service

  • faddat Member

    Thanks ihatetony :)!

  • netomx Moderator, Veteran

    said: Softether (Very nice-- if anyone has teamed multiple softether VPSes to do load balancing, I'd love to hear their techniques. This feeds my desktop and laptop their Internet.)

    How about a VPS connecting via API to Solus to check their BW usage, and then change the A record of a domain?

  • halczy Member

    Just to bring everybody up to date. After the GFW blocked Google on June 1st, they blocked Dropbox about two weeks ago and Onedrive yesterday.

    Google:
    http://www.google.com/transparencyreport/traffic/#expand=CN
    Dropbox:
    https://en.greatfire.org/dropbox.com
    Onedrive:
    https://en.greatfire.org/onedrive.live.com

    I'm pretty sure the GFW already has the ability to detect Softether SSL VPN traffic. I have three VPSes with Softether installed and all three of them have been blocked in China since June. One of the VPSes with Softether was rarely used. However, your experience may vary and it depends on your ISP and which part of China you are living in.

  • faddat Member
    edited July 2014

    Hm-- allow me to give a little more detail on GFW and on my situation. So, I am quite sure that I am not in any way maxing out the CPU-- users are me, my SO & 2 friends who followed me here from home.

    FYI, I have:

    Astrill Subscription - Simple GFW avoidance. Getting shakier and shakier every day though.

    2x weloveservers.net (Buffalo & LA) - Latency is quite bad, as is throughput: ~400ms avg & ~10-20KB/sec downloads. Peering is probably the issue here, but with GFW you never, ever truly know.

    1x ramnode.com Seattle - Better than WLS Buffalo & LA, but still ~200-400ms & 20KB/sec in downloads. Peering is probably the issue here, but with GFW you never, ever truly know.

    1x digitalocean Singapore - 100ms ping & maybe 100KB/sec in downloads

    2x (Chinese letters here) Windows VPS in HK; identical performance -- ping is rarely over 50ms and each connection gets me 100-500KBPS throughput. HK servers are molested less by GFW.

    The main issue is speed but there are 2 sets of issues:
    KBPS in HK's case, ping is ~50ms (truly fat pipes are very expensive and often don't get much over the ~100-500KBPS that I get from 1x HK server)

    Here's what we (the users) want:

    We'd like to accomplish a single connection that stays inside China for sites like Baidu & Taobao (this part is fully accomplished on the client PCs)

    We don't want to have to fiddle with the damn thing. We'd like it to toss us as much bandwidth as possible. If you're wondering "dude why so many boxen!?!" well, I needed to test this out somehow.

    It seems like the docs here pointed me towards high user-count solutions. I'm kinda looking for teaming or bonding of the disparate connections as well as a few bits of routing goodness (for example pandora should always go to the US boxes, etc...)

    What I'm looking to do is use all of the VPS-age I've assembled together (teaming, bonding, something else?) to achieve reasonable speed & reliability.

    Is this just madness?

  • faddat Member

    @halczy said:
    Just to bring everybody up to date. After the GFW blocked Google on June 1st, they blocked Dropbox about two weeks ago and Onedrive yesterday.

    Oh, Crap! I was a very heavy OneDrive user..... till yesterday. This is getting insane. Can't really call this the Internet anymore. I do like it here, but... The Internet is something I've made a core tenet of my beliefs about life.... and for that matter my career both here and in the US. Sigh. Mr. Xi, WHY?!

  • rm_ IPv6 Advocate, Veteran
    edited July 2014

    said: Am I missing any of the mainstream generation v.2.5 of circumvention tools?

    I'm not sure what's your end goal, but if just to visit blocked websites, then Tor Bridges with the OBFS3 transport should work, as those are built specifically to evade blocking; also this is free, unlike other VPS/VPN options, especially getting a VPS in HK.

    Google might be blocking visits from Tor, so you'll have to use startpage.com

    Speaking of which, why not try https://startpage.com/ directly, it's a proxy to Google search, and maybe it's not blocked by GFW.

  • faddat Member

    rm_

    My end goal is a little bit ludicrous:

    To not have to notice GFW every time I use my PC, phone or tablet

    ;).

    That's why it's got to be so complex-- I am sick of wasting time with half-measures around the thing, you know?

  • rm_ IPv6 Advocate, Veteran

    @faddat Well for some more ideas, have you tried http://www.tinc-vpn.org/ ?
    It's kind of a smaller project, perhaps much less well-known than OpenVPN, so maybe GFW admins didn't care enough to develop signatures to detect and block it.

  • faddat Member

    I haven't and thank you :)!

    Every idea gets us one step closer.... :)

  • faddat Member

    Tinc looks downright hot! Quite suited to my needs, too! Thanks!

  • belinik Member
    edited July 2014

    I am going to echo what halczy says also (I have a feeling we are in a similar area/ISP, Guangdong/CT)

    -all Google services rendered useless. Search, maps, gmail and Play Store (yes your smartphone won't get app updates; I think iOS is unaffected there as everyone and their mother gets brainwashed by that product.)

    -softether has been dead for me since a month ago, all my old setups are dead; on new installs I get disconnected (internet) after reaching the server console. I was going to try scrambled openvpn but it does not work on a non-root android machine

    -surprisingly my sister has some luck with vpngate which is supported by softether, as long as you are able to grab the credentials beforehand. I have yet to figure out why...

    my current go-to is a standard ssh proxy as it requires almost no setup on the server side. I have heard many stories that it is already detected and the GFW is actively banning them if you transport too much data over ssh; changing port won't help. They seem to die (unreachable by ping) after a certain period of time and start working again after a few days. So I have been getting many different VPS providers to dodge the 'flavor' of the day. Not really the best tactic but so far it is the best way for me.

    I have been to China several times over the years and every time it just gets worse. TBH I doubt they will ever get rid of it. All I want is a decent connection to be able to hit any website (not even censored/blocked) within a reasonable amount of time, able to stream a short clip (non-HD) if I preload them for a minute or 2. And a private IP so I won't get in trouble because of others' wrongdoing.

    is Shadowsocks any good? I am using the Bitvise client to do the ssh right now. And is there any VPN that works?

  • faddat Member

    Jiangsu for me. I move to Shenzhen in a week. The Google outage is national. Can you tell me how you were running Softether? This is the first I've heard of it being detected..... but I've now heard it twice from y'all-- not a good sign!

    Oh my horses & swearing! Softether just crapped the bed over here..... reconnected successfully, though.

    I want to definitely recommend that you go the VPS route. I have Astrill commercial VPN, it's a very on and off affair, with a lot of strange routing errors. You could also run Softether through obfsproxy from Tor.

    Since my softether is now beginning to crap itself, I'm going to start trying to configure that Tinc into a mesh. If that by some chance works, I'll hook you up with an IP/pass & then you won't need to worry ;)!

    Overall: My internet is the quality of camel feces on a hot day.

  • hotsnow Veteran

    GFW has already had the ability to detect Softether for about one year or more. You can test this: install a Softether VPN on a US VPS, and after you have installed it, when you try to visit the management web page from a browser for the first time, GFW will block this IP immediately and keep it blocked for about 3 months.

  • @faddat Don't have any experience with the GFW, but it kinda sounds like a DNS Proxy/DNS VPN type setup could work.

    For example on my AppleTV and tablet I use a DNS proxy service that will handle 99.999% of DNS requests normally - but when I try to resolve Netflix/Hulu/Pandora/Spotify/etc the A record returned is actually a proxied IP in the US that will then go out and request the site/content.

    So I get my normal speeds for unblocked sites, but when I want one of the blocked ones it'll just route that connection through the proxy.

    You could have a DNS server hosted locally or on one of your various VPS's, where the requests for unblocked sites is handled normally, but when you request a blocked site it will give you a proxy IP that will then route that request through a box in the US/HK/Singapore/wherever.

    Again, not 100% sure on how the GFW works - just a thought.
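
The "DNS proxy" idea above, and the OP's Raspberry Pi plan of keeping mainland traffic local while pinning pandora.com to a US box, come down to one piece of logic: a resolver that forges an A answer pointing at a proxy for names on a policy list and forwards everything else untouched. The following is an added example written for this thread, not code from the commercial DNS-proxy service being described or from the OP's setup; the policy table and the two proxy addresses (203.0.113.10 and 198.51.100.20, documentation ranges) are constructed. It builds and parses the raw DNS packets itself so it runs offline, and it handles the edge case a naive version misses: an AAAA query for a proxied name has to be answered (empty) locally, otherwise a dual-stack client gets a real IPv6 address from upstream and connects straight past the proxy.

```python
"""Policy DNS responder: forged A answers for names that must leave via a
VPS, everything else forwarded to the normal resolver.  Added example for
this thread; the policy table and proxy addresses are constructed."""
import struct
from ipaddress import IPv4Address

# Constructed policy: suffix -> egress box.  Unlisted names resolve normally
# and stay on the local ISP, which is what the OP wants for Baidu and Taobao.
POLICY = {
    "pandora.com": "us-proxy",
    "google.com": "hk-proxy",
    "dropbox.com": "hk-proxy",
}
PROXY_IPS = {"us-proxy": "203.0.113.10", "hk-proxy": "198.51.100.20"}

QTYPE_A, QTYPE_AAAA = 1, 28


def egress_for(name: str):
    """Longest-suffix match against POLICY; None means 'go direct'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        egress = POLICY.get(".".join(labels[i:]))
        if egress:
            return egress
    return None


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Standard recursive query for one name (used here to construct input)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)   # RD set
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(pkt: bytes):
    """Return (txid, ancount, qname, qtype, raw question section)."""
    txid, _flags, qdcount, ancount, _, _ = struct.unpack("!6H", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return txid, ancount, ".".join(labels), qtype, pkt[12:pos + 4]


def answer(pkt: bytes, ttl: int = 60):
    """Forge an A answer for proxied names; None means forward upstream.

    A proxied name asked for AAAA gets an empty NOERROR reply on purpose:
    letting upstream answer it would hand a dual-stack client a real IPv6
    address and the connection would bypass the proxy."""
    txid, _, qname, qtype, question = parse_question(pkt)
    egress = egress_for(qname)
    if egress is None:
        return None
    flags = 0x8180                                   # QR, RD, RA, NOERROR
    if qtype == QTYPE_A:
        # Answer RR: pointer to the name at offset 12, type A, class IN, TTL, 4-byte rdata
        rr = (struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4)
              + IPv4Address(PROXY_IPS[egress]).packed)
        return struct.pack("!6H", txid, flags, 1, 1, 0, 0) + question + rr
    if qtype == QTYPE_AAAA:
        return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + question
    return None


def first_a_record(resp: bytes) -> str:
    """Read back the A record from a response built by answer(); '' if none."""
    _, ancount, _, _, question = parse_question(resp)
    if ancount == 0:
        return ""
    off = 12 + len(question)
    _ptr, _t, _c, _ttl, rdlen = struct.unpack("!HHHIH", resp[off:off + 12])
    return str(IPv4Address(resp[off + 12:off + 12 + rdlen]))


def answer_count(resp: bytes) -> int:
    return parse_question(resp)[1]


if __name__ == "__main__":
    for name in ("www.pandora.com", "docs.google.com", "www.baidu.com"):
        resp = answer(build_query(1, name))
        print(name, "->", first_a_record(resp) if resp else "forward upstream")
```

The address handed back has to be running something that forwards by the HTTP Host header or TLS SNI (an SNI proxy on the VPS) or terminates the tunnel; the resolver alone changes nothing. Keep the TTL short so moving a suffix from the HK box to the US box takes effect quickly. The forged answer is produced locally before any query leaves the Pi, so for the names on the list it does not matter what happens to upstream DNS.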

  • halczy Member

    @belinik said:
    I am going to echo what halczy says also(I have a feeling we are in similiar area/isp, Guangdong/CT)

    You are right. I'm in Guangzhou using CT.

    My solution is to route OpenVPN traffic through Stunnel using port 443, so to GFW it just looks like normal HTTPS traffic. The Scrambled OpenVPN solution I posted on LET a while ago doesn't work anymore, since nowadays the GFW will just block any unidentifiable encrypted traffic.

    Theoretically, you can route Softether traffic through Stunnel as well, but it looks like the GFW will periodically scan the target IP and it is able to tell if Softether is running or not.
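
halczy's reasoning is that OpenVPN wrapped in Stunnel on 443 presents nothing but a TLS handshake, while both a bare OpenVPN session and a random-looking stream are identifiable, one by its header and the other by having none. As an added example for this thread (not code from Stunnel, OpenVPN, Shadowsocks or anything halczy posted), here is a toy first-segment classifier of the kind a DPI device can run on the first bytes a client sends, applied to constructed samples: an SSH banner, a plain HTTP request, a minimal TLS ClientHello (what Stunnel exposes), a raw OpenVPN-over-TCP hard-reset packet, and a headerless pseudo-random stream standing in for a Shadowsocks-style connection. The labels, the entropy threshold and the sample bytes are all my own constructions; the header layouts are the protocols' public ones.

```python
"""Toy first-segment classifier in the style of a static DPI check.  Added
example for this thread; labels, threshold and samples are constructed."""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: near 8 for ciphertext, well below for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_first_segment(data: bytes) -> str:
    """Label the first TCP payload of a connection from fixed header fields."""
    # SSH announces itself in cleartext (RFC 4253, section 4.2).
    if data.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # Plain HTTP request line.
    if data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")):
        return "http"
    # TLS record: content type 0x16 (handshake), version 0x03 0x00..0x04,
    # 2-byte length, then handshake type 0x01 (ClientHello).  This is all a
    # Stunnel-wrapped session shows; the OpenVPN inside is record payload.
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls-clienthello"
    # OpenVPN over TCP: 2-byte big-endian length of the packet that follows,
    # then an opcode byte whose upper 5 bits are the opcode; opcode 7 is
    # P_CONTROL_HARD_RESET_CLIENT_V2, the first thing an OpenVPN client sends.
    if len(data) >= 3:
        pkt_len = struct.unpack("!H", data[:2])[0]
        if pkt_len == len(data) - 2 and data[2] >> 3 == 7:
            return "openvpn-tcp"
    # Nothing recognisable but random-looking: the "unidentifiable encrypted
    # traffic" bucket.  Needs a decent sample, since measured entropy per
    # byte is capped at log2(len(data)).
    if len(data) >= 256 and shannon_entropy(data) > 7.0:
        return "unidentified-encrypted"
    return "other"


def build_samples() -> dict:
    """Constructed first segments for each case (not captured traffic)."""
    # Minimal TLS 1.2 ClientHello: random, no session id, one cipher suite,
    # null compression, no extensions.
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f"
             + b"\x01\x00" + b"\x00\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    tls = b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
    # OpenVPN hard reset: opcode 7 with key id 0 -> 0x38, 8-byte session id,
    # empty ack array, 4-byte packet id.  The length prefix excludes itself.
    body = b"\x38" + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00"
    openvpn = struct.pack("!H", len(body)) + body
    # Headerless stream (Shadowsocks-style): just ciphertext from byte one.
    # Modelled with a deterministic SHA-256 chain so the sample is reproducible.
    blob, seed = b"", b"seed"
    while len(blob) < 512:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    return {
        "ssh": b"SSH-2.0-OpenSSH_6.6p1\r\n",
        "http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
        "tls": tls,
        "openvpn": openvpn,
        "shadowsocks_like": blob,
    }


def classify_samples() -> dict:
    return {name: classify_first_segment(seg)
            for name, seg in build_samples().items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:18s} -> {label}")
```

The point of the exercise is that the Stunnel wrapper only moves the problem to whatever the censor does with the TLS bucket (certificate checks, active probing of the server, traffic shape), which is exactly the "periodic scan of the target IP" halczy describes for Softether; a header check alone cannot tell a wrapped VPN from a browser session.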

  • belinik Member
    edited July 2014

    Half of the time I am located in Shenzhen. I have never used the web interface, I just use ssh commands or the server console, which worked until ~May. Now it no longer works.

    I run my softether setup in a non standard port with local bridge, password auth. With always reconnect on.

    Not sure how you still have your softether working but I am willing to guess it is just a matter of time... @hotsnow I know GFW has had the ability to detect softether for a long time; in fact I suspect most VPNs, as they always get disconnected after a while.

  • belinik Member
    edited July 2014

    @halczy said:
    Theoretically, you can route Softether traffic through Stunnel as well, but it looks like the GFW will periodically scan the target IP and it is able to tell if Softether is running or not.

    I noticed this option a few days ago but have yet to try it.

  • For shadowsocks, use a lower port, 80 maybe.
    For softether, don't manage the server by connecting to it directly; my softether server has been blocked twice in the last 30 days.

    It's been harder and harder to bypass GFW now. Maintaining the bypass service is wasting a lot of my time. I have already bought several paid services as backup plans.

    And there isn't only GFW; ISP hijacking inserts all kinds of ads into the network, really annoying.

  • IKEv1 VPN still works.

  • Sheath OpenVPN traffic as HTTPS web browsing: http://lowendtalk.com/discussion/25718/tutorial-openvpn-sheathing

  • cnbeining Member
    edited July 2014

    Working with our tech team, we are helping 50+ people to fight the censorship of the GFW. For free.

    We had deployed a multi-node VPN system(PPTP, L2TP & Cisco IPSEC), which is no longer maintained due to the block of PPTP and L2TP. Now we are running a multi-node Shadowsocks system, with full IPv6 support to give CERNET users a better time. I am also a heavy user of this system for I do not want my University to scan my traffic. Have been running for 1.5 years, so far so good.

  • DNS tunneling! will be slow though... http://code.kryo.se/iodine/

  • Chan Member

    obfsproxy to tunnel anything tcp based (openvpn, ssh etc...), works like a charm and is almost impossible to block!

    openvpn with a pre negotiated secret key also works when the firewall in question relies on using deep packet inspection.

  • World Veteran
    edited July 2014

    I live in China now too. I use PPTP or L2TP with IPsec, no problem. Also you can try Shadowsocks; many of my friends told me it's a good way to "cross" the GFW.

  • Does the Tor network not work?

  • faddat Member

    To be honest, other threads on this forum kinda scare me away from Tor.
